CN112351010B - A LAN-based network security situational awareness system and method - Google Patents

A LAN-based network security situational awareness system and method

Publication number: CN112351010B
Application number: CN202011167000.2A
Authority: CN (China)
Other versions: CN112351010A
Original language: Chinese (zh)
Inventor: 孙强强
Original assignee: Binzhou University
Current assignee: Binzhou University (Google notes the listed assignees may be inaccurate and that no legal analysis was performed)
Legal status: Expired - Fee Related (Google notes the legal status and priority date are assumptions, not legal conclusions)
Prior art keywords: virus, time, attack, value, threat

Events: application filed by Binzhou University; priority claimed to CN202011167000.2A; publication of CN112351010A; application granted; publication of CN112351010B; current status Expired - Fee Related; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a LAN-based network security situational awareness system and method, comprising a virus monitoring module, a data analysis module, a controller, a storage module, a data processing module, a CPU monitoring module, a network speed monitoring module, a security evaluation module and a display module. The data analysis module receives information on hosts infected by worm viruses during a preset period and analyzes it to obtain device threat table information and virus threat table information; when the data processing module receives a virus signal from the virus monitoring module, it performs data analysis to obtain an attack value Pg; the CPU monitoring module monitors the real-time CPU utilization of the host device and performs steady-state analysis on it to obtain a steady-state value Ui; when the security evaluation module receives the attack value Pg, it automatically combines the steady-state value Ui, the real-time utilization group Fa and the real-time network access speed for security analysis, making the result more precise.

Description

A LAN-based network security situational awareness system and method

Technical field

The invention belongs to the field of network security and relates to security awareness technology, specifically a LAN-based network security situational awareness system and method.

Background

The patent with publication number CN105100013B discloses a method for perceiving network security devices, a network security device and a controller, solving the prior-art problem that a controller cannot perceive network security devices. The method includes: the network security device receives a Link Layer Discovery Protocol (LLDP) packet; the network security device adds its own device information to the LLDP packet and sends the LLDP packet carrying that device information to the controller, so that the controller perceives the network security device through the device information in the LLDP packet.

However, its perception and monitoring of network security rely solely on the controller perceiving the network security device through the device information in the LLDP packet. It does not objectively and comprehensively reflect virus attacks on the system, sudden changes in CPU usage and the related virus attack situation; the result is therefore not precise enough, it cannot intelligently identify high-risk host devices or apply different security protection to different virus attacks, and it cannot effectively help to expand and strengthen the awareness system. To address these deficiencies, a solution is now provided.

Summary of the invention

In view of the deficiencies of the prior art, the object of the invention is to provide a LAN-based network security situational awareness system and method. The invention analyzes information on hosts infected by worm viruses during a preset period to obtain device threat table information and virus threat table information; from these tables administrators can clearly see how threatened each host device is by virus attacks and how threatening each virus is, high-risk host devices are identified intelligently from the magnitude of the device threat value Qi and the virus threat value Ri, and different security protection is applied to different virus attacks, effectively strengthening the protective effect;

When a virus signal is detected, the information on the host infected at that moment is recorded and analyzed to obtain an attack value; the CPU monitoring module monitors the real-time CPU utilization of the host device and performs steady-state analysis on it to obtain a steady-state value; when the security evaluation module receives the attack value, it automatically combines the steady-state value, the real-time utilization group and the real-time network access speed for security analysis to obtain a security estimate, and the controller grades the security estimate to obtain an early-warning signal, so that the result is more precise and easier for administrators to act on.

The object of the invention is achieved by the following technical solution: a LAN-based network security situational awareness system comprising a virus monitoring module, a data analysis module, a controller, a storage module, a data processing module, a CPU monitoring module, a network speed monitoring module, a security evaluation module and a display module;

The virus monitoring module performs worm virus detection and obtains information on hosts infected by worm viruses during a preset period; the data analysis module receives the information on hosts infected during the preset period and analyzes it to obtain device threat table information and virus threat table information;

The virus monitoring module transmits a virus signal to the data processing module when a virus is detected; on receiving the virus signal from the virus monitoring module, the data processing module performs data analysis to obtain the attack value Pg;

The data processing module transmits the attack value Pg to the security evaluation module;

The CPU monitoring module monitors the real-time CPU utilization of the host device and performs steady-state analysis on it to obtain the steady-state value Ui;

The CPU monitoring module transmits the steady-state value Ui and the real-time utilization group Fa to the security evaluation module; the network speed monitoring module monitors the real-time network access speed of the host device and transmits it to the security evaluation module;

On receiving the attack value Pg, the security evaluation module automatically combines the steady-state value Ui, the real-time utilization group Fa and the real-time network access speed for security analysis to obtain the security estimate AC;

The security evaluation module transmits the security estimate AC to the controller, and the controller grades the security estimate AC to obtain an early-warning signal, specifically:

AA1: when AC ≤ X2, the early-warning signal is a mild threat signal;

AA2: when X2 < AC < X3, the early-warning signal is a moderate threat signal;

AA3: when AC ≥ X3, the early-warning signal is a severe threat signal; X2 and X3 are both preset values;

The controller transmits the security estimate AC to the display module for display, and when a mild threat signal, a moderate threat signal or a severe threat signal is generated, the display shows the words "mild threat", "moderate threat" or "severe threat" respectively.

Further, the specific working steps of the data analysis module are as follows:

Step 1: obtain information on hosts infected by worm viruses during the preset period; the host information includes the host device number, the virus name, the virus attack start time and the virus attack end time; the virus attack duration is obtained as the time difference between the virus attack end time and the virus attack start time in the host information;

Step 2: for each host device number, accumulate the number of attacks on that device number to form the device attack frequency, denoted J1i, where i denotes the i-th host device;

For each host device number, accumulate the virus attack durations of that device number to form the total device attack duration, denoted J2i; the device attack frequency J1i and the total device attack duration J2i correspond one-to-one;

Step 3: each host device number is assigned a preset value; the host device number is matched against all host device numbers to obtain the corresponding device preset value, denoted Wi;

Normalize the device attack frequency, the total device attack duration and the device preset value and take their numerical values;

Assign weights to the device attack frequency, the total device attack duration and the device preset value: the weight of the device attack frequency is denoted Z1, the weight of the total device attack duration Z2 and the weight of the device preset value Z3, where Z1, Z2 and Z3 are all preset values and Z1 > Z2 > Z3;

Step 4: calculate the device threat value Qi of each host device using the formula Gi = J1i × Z1 + J2i × Z2 + Wi × Z3;

Arrange the host devices in descending order of device threat value Qi to form the device threat table information;

Step 5: for each virus name, accumulate the number of attacks by that virus name to form the virus attack frequency, denoted J3m, where m denotes the m-th virus;

For each virus name, accumulate the virus attack durations of that virus name to form the total virus attack duration, denoted J4m; the virus attack frequency J3m and the total virus attack duration J4m correspond one-to-one;

Step 6: each virus is assigned a preset value; the virus is matched against all viruses to obtain the corresponding virus preset value, denoted Bm;

Normalize the virus attack frequency, the total virus attack duration and the virus preset value and take their numerical values;

Assign weights to the virus attack frequency, the total virus attack duration and the virus preset value: the weight of the virus attack frequency is denoted C1, the weight of the total virus attack duration C2 and the weight of the virus preset value C3, where C1, C2 and C3 are all preset values and C1 > C2 > C3;

Step 7: calculate the virus threat value Ri of each virus using the formula Ri = J3m × C1 + J4m × C2 + Bm × C3;

Arrange the viruses in descending order of virus threat value Ri to form the virus threat table information;

The data analysis module transmits the device threat table information and the virus threat table information to the controller; the controller receives them from the data analysis module and transmits them to the storage module for storage.

Further, the specific process of the steady-state analysis is as follows:

SS1: mark the virus attack start time as time t and let the real-time CPU utilization sampled at time t be Ft; from the virus attack start time until the virus attack end time, sample the real-time CPU utilization once every interval T1 and denote the samples Ft+x, x = 1, ..., n; this gives the real-time utilization group Fa;

SS2: mark the virus attack end time as time r and let the real-time CPU utilization sampled at time r be Fr;

SS3: using the formula

Figure BDA0002746138430000051

obtain the steady deviation value GL1 of the real-time utilization group Fa from Ft;

Using the formula

Figure BDA0002746138430000052

obtain the steady deviation value GL2 of the real-time utilization group Fa from Fr;

SS4: obtain the steady-state value Ui using the formula Ui = GL1 × D1 + GL2 × D2, where D1 and D2 are preset coefficient factors and D1 > D2.

Further, the specific steps of the security analysis are:

DD1: when the attack value Pg is received, obtain the real-time utilization group Fa at that moment;

DD2: traverse the real-time utilization group Fa to obtain the maximum real-time utilization Fmax and the minimum real-time utilization Fmin;

Compute the difference Fc between the maximum and the minimum real-time utilization, i.e. Fc = Fmax − Fmin;

DD3: compute the real-time utilization difference Gc before and after the virus attack, i.e. Gc = Fr − Ft;

Obtain the difference ratio Cb using the formula Cb = Fc / Gc;

DD4: obtain the real-time network access speed at the moment the attack value Pg is received and denote it S1;

DD5: normalize the attack value Pg, the steady-state value Ui, the difference ratio Cb and the real-time network access speed S1 and take their numerical values;

Using the formula

Figure BDA0002746138430000061

obtain the security estimate AC, where d1, d2, d3 and d4 are all preset proportional coefficients and α is a compensation factor with the value 0.56325.

Further, the specific working steps of the data processing module are:

S1: when a virus signal is detected, record the information on the host infected by the virus at that moment;

S2: based on the host information, automatically obtain from the storage module the device threat value corresponding to the host device number, denoted Qc, and the virus threat value corresponding to the virus name, denoted Rc;

S3: obtain the virus attack start time and the virus attack end time, and compute the time difference between them to obtain the virus attack duration, denoted Gi;

S4: using the formula

Figure BDA0002746138430000062

calculate the attack value Pg, where a1, a1 and a3 are all preset coefficient factors.

A LAN-based network security situational awareness method, the specific steps of which are as follows:

W1: perform worm virus detection on the host devices and obtain information on hosts infected by worm viruses during the preset period;

W2: from the host information obtained in step W1, obtain the device threat table information and the virus threat table information;

W3: when a virus signal is detected, record the information on the host infected at that moment and analyze it to obtain the attack value Pg; the specific analysis steps are:

W31: based on the host information, automatically obtain from the device threat table information and virus threat table information of step W2 the corresponding device threat value, denoted Qc, and the corresponding virus threat value, denoted Rc;

W32: obtain the virus attack start time and the virus attack end time, and compute the time difference between them to obtain the virus attack duration, denoted Gi;

W33: using the formula

Figure BDA0002746138430000071

calculate the attack value Pg;

W4: monitor the real-time CPU utilization of the host device and perform steady-state analysis on it to obtain the steady-state value Ui;

W5: combine the attack value Pg, the steady-state value Ui, the real-time utilization group Fa and the real-time network access speed for security analysis to obtain the security estimate AC;

W6: grade the security estimate AC to obtain an early-warning signal, specifically:

W61: when AC ≤ X2, the early-warning signal is a mild threat signal;

W62: when X2 < AC < X3, the early-warning signal is a moderate threat signal;

W63: when AC ≥ X3, the early-warning signal is a severe threat signal.
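The CPU-utilization features of steps DD2 and DD3 and the three-band grading of steps W61 to W63 (AA1 to AA3 above), carried through in Python as an added worked example; it is not code from the patent or from Binzhou University. The formula for AC itself survives on this page only as a figure image, so the example takes AC as an input to the grading function instead of computing it. The sample utilization group, the thresholds X2 and X3 and the weights are constructed values, and the treatment of Gc = 0 (utilization equal at attack start and end, which would make Cb = Fc / Gc undefined) is this example's own assumption, since the patent does not say what happens in that case.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class CpuFeatures:
    """Quantities derived from one real-time utilization group Fa (steps DD2 and DD3)."""
    f_t: float            # Ft: utilization sampled at the attack start time t (first sample of Fa)
    f_r: float            # Fr: utilization sampled at the attack end time r (last sample of Fa)
    f_max: float          # Fmax: largest sample in Fa
    f_min: float          # Fmin: smallest sample in Fa
    f_c: float            # Fc = Fmax - Fmin
    g_c: float            # Gc = Fr - Ft
    c_b: Optional[float]  # Cb = Fc / Gc; None when Gc == 0 (assumption: the patent does not cover this case)


def cpu_features(fa: Sequence[float]) -> CpuFeatures:
    """Steps DD2 and DD3 over Fa = [Ft, Ft+1, ..., Fr], utilization in percent."""
    if len(fa) < 2:
        raise ValueError("Fa must contain at least the samples at t and r")
    for v in fa:
        if not 0.0 <= v <= 100.0:
            raise ValueError(f"CPU utilization out of range: {v}")
    f_t, f_r = fa[0], fa[-1]
    f_max, f_min = max(fa), min(fa)
    f_c = f_max - f_min
    g_c = f_r - f_t
    # A flat before/after reading gives Gc = 0; the ratio is reported as undefined
    # rather than raising inside the monitoring loop.
    c_b = f_c / g_c if g_c != 0 else None
    return CpuFeatures(f_t, f_r, f_max, f_min, f_c, g_c, c_b)


def grade(ac: float, x2: float, x3: float) -> str:
    """Steps AA1-AA3 / W61-W63: map the security estimate AC to an early-warning level."""
    if not x2 < x3:
        raise ValueError("thresholds must satisfy X2 < X3 so the three bands are distinct")
    if ac <= x2:
        return "mild threat"       # AA1: AC <= X2
    if ac < x3:
        return "moderate threat"   # AA2: X2 < AC < X3
    return "severe threat"         # AA3: AC >= X3


# Constructed sample: utilization sampled every T1 from attack start (20 %) to attack end (60 %).
SAMPLE_FA = [20.0, 35.0, 80.0, 95.0, 60.0]
# Constructed grading thresholds (the patent only says they are preset values).
X2, X3 = 50.0, 80.0

if __name__ == "__main__":
    feats = cpu_features(SAMPLE_FA)
    print(f"Fmax={feats.f_max} Fmin={feats.f_min} Fc={feats.f_c} Gc={feats.g_c} Cb={feats.c_b}")
    for ac in (40.0, 65.0, 90.0):
        print(f"AC={ac}: {grade(ac, X2, X3)}")
```

Note that the boundary AC = X2 falls in the mild band and AC = X3 in the severe band, exactly as the inequalities in AA1 and AA3 are written; an implementation that used strict comparisons in both places would leave the boundary values ungraded.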

The beneficial effects of the invention are:

1. The invention receives, through the data analysis module, information on hosts infected by worm viruses during the preset period and analyzes it to obtain device threat table information and virus threat table information; from these tables administrators can clearly see how threatened each host device is by virus attacks and how threatening each virus is; high-risk host devices are identified intelligently from the magnitude of the device threat value Qi and the virus threat value Ri, and different security protection is applied to different virus attacks, effectively strengthening the protective effect;

2. The invention analyzes and judges the virus attacks suffered through the data processing module to obtain the attack value Pg; it then monitors and analyzes the real-time CPU utilization of the host device through the CPU monitoring module to obtain the steady-state value Ui of the CPU; at the same time it monitors the real-time network access speed of the host device through the network speed monitoring module; it then performs a comprehensive analysis combining the attack value Pg of the virus, the steady-state value Ui and the real-time network access speed to obtain the security estimate AC, and grades the security estimate AC to obtain an early-warning signal, so that the result is more precise and easier for administrators to act on.

Brief description of the drawings

To facilitate understanding by those skilled in the art, the invention is further described below with reference to the accompanying drawings.

Figure 1 is a system block diagram of the invention.

Detailed description

The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention, without creative effort, fall within the scope of protection of the invention.

As shown in Figure 1, a LAN-based network security situational awareness system comprises a virus monitoring module, a data analysis module, a controller, a storage module, a data processing module, a CPU monitoring module, a network speed monitoring module, a security evaluation module and a display module;

The virus monitoring module performs worm virus detection and obtains information on hosts infected by worm viruses during a preset period; the host information includes the host device number, the virus name, the virus attack start time and the virus attack end time. The data analysis module receives the information on hosts infected during the preset period and analyzes it to obtain device threat table information and virus threat table information; the specific working steps of the data analysis module are as follows:

Step 1: obtain information on hosts infected by worm viruses during the preset period; the virus attack duration is obtained as the time difference between the virus attack end time and the virus attack start time in the host information;

Step 2: for each host device number, accumulate the number of attacks on that device number to form the device attack frequency, denoted J1i, where i denotes the i-th host device;

For each host device number, accumulate the virus attack durations of that device number to form the total device attack duration, denoted J2i; the device attack frequency J1i and the total device attack duration J2i correspond one-to-one;

Step 3: each host device number is assigned a preset value; the host device number is matched against all host device numbers to obtain the corresponding device preset value, denoted Wi;

Normalize the device attack frequency, the total device attack duration and the device preset value and take their numerical values;

Assign weights to the device attack frequency, the total device attack duration and the device preset value: the weight of the device attack frequency is denoted Z1, the weight of the total device attack duration Z2 and the weight of the device preset value Z3, where Z1, Z2 and Z3 are all preset values and Z1 > Z2 > Z3;

Step 4: calculate the device threat value Qi of each host device using the formula Gi = J1i × Z1 + J2i × Z2 + Wi × Z3;

Arrange the host devices in descending order of device threat value Qi to form the device threat table information;

Step 5: for each virus name, accumulate the number of attacks by that virus name to form the virus attack frequency, denoted J3m, where m denotes the m-th virus;

For each virus name, accumulate the virus attack durations of that virus name to form the total virus attack duration, denoted J4m; the virus attack frequency J3m and the total virus attack duration J4m correspond one-to-one;

Step 6: each virus is assigned a preset value; the virus is matched against all viruses to obtain the corresponding virus preset value, denoted Bm;

Normalize the virus attack frequency, the total virus attack duration and the virus preset value and take their numerical values;

Assign weights to the virus attack frequency, the total virus attack duration and the virus preset value: the weight of the virus attack frequency is denoted C1, the weight of the total virus attack duration C2 and the weight of the virus preset value C3, where C1, C2 and C3 are all preset values and C1 > C2 > C3;

Step 7: calculate the virus threat value Ri of each virus using the formula Ri = J3m × C1 + J4m × C2 + Bm × C3;

Arrange the viruses in descending order of virus threat value Ri to form the virus threat table information;

The data analysis module transmits the device threat table information and the virus threat table information to the controller; the controller receives them from the data analysis module and transmits them to the storage module for storage;

通过设备威胁表信息和病毒威胁表信息管理人员可以明确看到每个主机设备被病毒攻击的威胁性和每种病毒的威胁性;并根据设备威胁值Qi和病毒威胁值Ri的大小智能识别出高危险的主机设备,针对不同的病毒攻击实施不同的安全防护,有效加强安全防护效果;Through the device threat table information and virus threat table information, managers can clearly see the threat of each host device being attacked by viruses and the threat of each virus; and intelligently identify the size of the device threat value Qi and virus threat value Ri. For high-risk host devices, different security protections are implemented for different virus attacks, which effectively strengthens the security protection effect;
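
The scoring pipeline of steps one through seven (the device steps are recited in claim 1, the virus steps above), as an added worked example in Python; this is not code from the patent. The weights Z1 > Z2 > Z3 and C1 > C2 > C3, the preset values Wi and Bm, the min-max normalisation and the infection records are all constructed assumptions, because the description names none of them. The example also rejects a record whose attack end precedes its start, a check the description leaves implicit.

```python
"""Added example: device and virus threat tables of steps one to seven,
Qi = J1i*Z1 + J2i*Z2 + Wi*Z3 and Ri = J3m*C1 + J4m*C2 + Bm*C3, built from
constructed infection records.  Normalisation method, weights, preset values
and the sample data are assumptions; the patent text fixes none of them."""
from collections import defaultdict
from datetime import datetime

# Constructed sample host records: (device number, virus name, attack start, attack end).
RECORDS = [
    ("host-01", "worm-A", "2020-10-27 08:00:00", "2020-10-27 08:30:00"),
    ("host-01", "worm-B", "2020-10-27 09:00:00", "2020-10-27 09:10:00"),
    ("host-02", "worm-A", "2020-10-27 08:05:00", "2020-10-27 08:50:00"),
    ("host-03", "worm-A", "2020-10-27 10:00:00", "2020-10-27 10:05:00"),
    ("host-01", "worm-A", "2020-10-27 11:00:00", "2020-10-27 11:20:00"),
]
# Assumed preset values Wi (per device) and Bm (per virus); a key absent
# from these tables falls back to 0.
DEVICE_PRESET = {"host-01": 3.0, "host-02": 2.0, "host-03": 1.0}
VIRUS_PRESET = {"worm-A": 5.0, "worm-B": 2.0}
# Assumed weights, ordered as the text requires: Z1 > Z2 > Z3 and C1 > C2 > C3.
Z = (0.5, 0.3, 0.2)
C = (0.5, 0.3, 0.2)


def duration_minutes(start, end):
    """Step one: attack duration = end time - start time, in minutes."""
    fmt = "%Y-%m-%d %H:%M:%S"
    delta = datetime.strptime(end, fmt) - datetime.strptime(start, fmt)
    if delta.total_seconds() < 0:
        raise ValueError("attack end precedes start: %s -> %s" % (start, end))
    return delta.total_seconds() / 60.0


def aggregate(records, key_index):
    """Steps two and five: per key (device number or virus name), accumulate
    the attack count and the total attack duration."""
    count = defaultdict(int)
    total = defaultdict(float)
    for rec in records:
        key = rec[key_index]
        count[key] += 1
        total[key] += duration_minutes(rec[2], rec[3])
    return count, total


def min_max(values):
    """Assumed normalisation (the page names none): scale a column to [0, 1].
    A constant column maps to 0 so it cannot dominate the weighted sum."""
    lo, hi = min(values.values()), max(values.values())
    span = hi - lo
    return {k: (v - lo) / span if span else 0.0 for k, v in values.items()}


def threat_table(records, key_index, preset, weights):
    """Steps three/four and six/seven: normalised weighted sum, sorted descending."""
    count, total = aggregate(records, key_index)
    pre = {k: preset.get(k, 0.0) for k in count}
    n_count, n_total, n_pre = min_max(count), min_max(total), min_max(pre)
    w1, w2, w3 = weights
    scores = {k: n_count[k] * w1 + n_total[k] * w2 + n_pre[k] * w3 for k in count}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def device_threat_table(records=RECORDS):
    """Device threat table: list of (device number, Qi), highest Qi first."""
    return threat_table(records, 0, DEVICE_PRESET, Z)


def virus_threat_table(records=RECORDS):
    """Virus threat table: list of (virus name, Ri), highest Ri first."""
    return threat_table(records, 1, VIRUS_PRESET, C)


if __name__ == "__main__":
    for name, table in (("device", device_threat_table()), ("virus", virus_threat_table())):
        print("%s threat table (descending):" % name)
        for key, score in table:
            print("  %-8s %.3f" % (key, score))
```

With the constructed records, host-01 (three attacks, 60 minutes in total, highest preset) scores 1.0 and heads the device table; worm-A heads the virus table. Because min-max scaling is relative to the batch, a score of 0 means "least threatening in this window", not "no threat".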

The virus monitoring module transmits a virus signal to the data processing module when a virus is detected; on receiving the virus signal from the virus monitoring module, the data processing module performs data analysis to obtain the attack value Pg; the data processing module works as follows:

S1: When a virus signal is detected, record the information of the host infected by the virus at that moment;

S2: From the host information, automatically fetch from the storage module the device threat value corresponding to the host device number, marked Qc, and the virus threat value corresponding to the virus name, marked Rc;

S3: Obtain the virus attack start time and the virus attack end time, and compute their time difference to obtain the virus attack duration, marked Gi;

S4: Calculate the attack value Pg with the formula

Figure BDA0002746138430000101

where a1, a1 and a3 are all preset coefficient factors;

The data processing module transmits the attack value Pg to the security evaluation module;

The CPU monitoring module monitors the real-time usage rate of the host device CPU and performs steady-state analysis on it to obtain the steady-state value Ui; the steady-state analysis proceeds as follows:

SS1: Mark the virus attack start time as time t and let the real-time CPU usage rate collected at time t be Ft; from the virus attack start time to the virus attack end time, collect the real-time CPU usage rate once every interval T1 and mark these values Ft+x, x = 1, ..., n, obtaining the real-time usage rate group Fa;

SS2: Mark the virus attack end time as time r and let the real-time CPU usage rate collected at time r be Fr; the last sampling time t+x is the one closest to time r;

SS3: Obtain the steady deviation value GL1 of the real-time usage rate group Fa from Ft with the formula

Figure BDA0002746138430000111

and the steady deviation value GL2 of the real-time usage rate group Fa from Fr with the formula

Figure BDA0002746138430000112

SS4: Obtain the steady-state value Ui with the formula Ui = GL1 × D1 + GL2 × D2, where D1 and D2 are preset coefficient factors and D1 > D2;

The CPU monitoring module transmits the steady-state value Ui and the real-time usage rate group Fa to the security evaluation module; the network speed monitoring module monitors the real-time network access speed of the host device and transmits it to the security evaluation module;

On receiving the attack value Pg, the security evaluation module automatically combines it with the steady-state value Ui, the real-time usage rate group Fa and the real-time network access speed to perform security analysis, as follows:

DD1: When the attack value Pg is received, obtain the real-time usage rate group Fa at that moment;

DD2: Traverse the real-time usage rate group Fa to obtain the maximum real-time usage rate Fmax and the minimum real-time usage rate Fmin;

Compute the difference Fc between the maximum and minimum real-time usage rates, Fc = Fmax - Fmin;

DD3: Compute the real-time usage rate difference Gc before and after the virus attack, Gc = Fr - Ft;

Obtain the difference ratio Cb with the formula Cb = Fc / Gc;

DD4: Obtain the real-time network access speed at the moment the attack value Pg is received and mark it S1;

DD5: Normalise the attack value Pg, the steady-state value Ui, the difference ratio Cb and the real-time network access speed S1 and take their numerical values;

Obtain the security estimate AC with the formula

Figure BDA0002746138430000121

where d1, d2, d3 and d4 are all preset proportional coefficients and α is a compensation factor with the value 0.56325;

The security evaluation module transmits the security estimate AC to the controller, which grades AC to obtain an early warning signal, specifically:

AA1: when AC ≤ X2, the early warning signal is a mild threat signal;

AA2: when X2 < AC < X3, the early warning signal is a moderate threat signal;

AA3: when AC ≥ X3, the early warning signal is a severe threat signal; X2 and X3 are both preset values;
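
The CPU-usage part of the analysis (SS1, SS2, DD2, DD3) and the grading AA1 to AA3, as an added example in Python; it is not the patent's own code. The sampled usage values, the interval T1 and the thresholds X2, X3 are constructed; GL1, GL2, Pg and AC are not computed because their formulas survive on this page only as image references. Two caveats a practitioner should note, which the description does not address: Cb = Fc / Gc is undefined when the usage at the attack's end equals the usage at its start (Gc = 0), so the example returns None there instead of dividing by zero; and Fa is empty when the attack lasts less than one interval T1, so Fmax and Fmin do not exist.

```python
"""Added example: usage group Fa of SS1/SS2, the ratio Cb of DD2/DD3 and the
grading AA1-AA3, on constructed CPU samples.  GL1, GL2, Pg and AC are not
implemented because the patent gives those formulas only as images."""

# Constructed CPU samples (seconds since capture start, usage in %); not from the page.
SAMPLES = [(0, 12.0), (10, 14.0), (20, 55.0), (30, 71.0), (40, 68.0),
           (50, 90.0), (60, 95.0), (70, 97.0), (80, 20.0)]


def sample_at_or_before(samples, ts):
    """Latest sample whose timestamp is <= ts; samples are (timestamp, usage) pairs."""
    candidates = [usage for when, usage in sorted(samples) if when <= ts]
    if not candidates:
        raise ValueError("no CPU sample at or before %r" % (ts,))
    return candidates[-1]


def usage_group(samples, t, r, t1):
    """SS1/SS2: Ft is the usage at the attack start t, Fr the usage at the
    attack end r, and Fa = [F(t+1), ..., F(t+n)] is sampled every t1 seconds
    after t for as long as t + x*t1 <= r.  Returns (Ft, Fa, Fr)."""
    if r < t or t1 <= 0:
        raise ValueError("need start <= end and a positive sampling interval T1")
    ft = sample_at_or_before(samples, t)
    fr = sample_at_or_before(samples, r)
    fa, x = [], 1
    while t + x * t1 <= r:
        fa.append(sample_at_or_before(samples, t + x * t1))
        x += 1
    return ft, fa, fr


def difference_ratio(ft, fa, fr):
    """DD2/DD3: Fc = Fmax - Fmin over Fa, Gc = Fr - Ft, Cb = Fc / Gc.
    The page does not define Cb for Gc == 0 (same usage at start and end),
    so None is returned there rather than dividing by zero.  Returns (Fc, Gc, Cb)."""
    if not fa:
        raise ValueError("usage group Fa is empty: attack shorter than one interval T1")
    fc = max(fa) - min(fa)
    gc = fr - ft
    cb = fc / gc if gc != 0 else None
    return fc, gc, cb


def grade(ac, x2, x3):
    """AA1-AA3: preset thresholds X2 < X3 split the estimate AC into
    mild (AC <= X2), moderate (X2 < AC < X3) and severe (AC >= X3)."""
    if not x2 < x3:
        raise ValueError("thresholds must satisfy X2 < X3")
    if ac <= x2:
        return "mild threat"
    if ac < x3:
        return "moderate threat"
    return "severe threat"


if __name__ == "__main__":
    # Constructed attack window: starts at second 20, ends at second 70, T1 = 10 s.
    ft, fa, fr = usage_group(SAMPLES, t=20, r=70, t1=10)
    fc, gc, cb = difference_ratio(ft, fa, fr)
    print("Ft=%.1f Fr=%.1f Fa=%s" % (ft, fr, fa))
    print("Fc=%.1f Gc=%.1f Cb=%s" % (fc, gc, "undefined" if cb is None else "%.3f" % cb))
    for ac in (0.2, 0.55, 0.9):  # AC values assumed for illustration; thresholds assumed too
        print("AC=%.2f ->" % ac, grade(ac, x2=0.4, x3=0.7))
```

With the constructed window the group is Fa = [71, 68, 90, 95, 97], so Fc = 29, Gc = 97 - 55 = 42 and Cb ≈ 0.69. A quiet host whose usage returns to its starting level by the end of the attack yields Gc = 0 even though usage spiked in between, which is why the undefined case has to be handled before Cb is fed into the normalisation of DD5.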

The controller transmits the security estimate AC to the display module for display and, when a mild, moderate or severe threat signal is generated, causes the words "mild threat", "moderate threat" or "severe threat" respectively to be displayed.

A LAN-based network security situational awareness method comprises the following steps:

W1: Perform worm detection on the host devices and obtain the information of the hosts infected by worms during a preset period;

W2: From the host information obtained in step W1, obtain the device threat table information and the virus threat table information;

W3: When a virus signal is detected, record the information of the host infected at that moment and analyse it to obtain the attack value Pg; the analysis steps are:

W31: From the host information, automatically fetch the corresponding device threat value, marked Qc, and the corresponding virus threat value, marked Rc, from the device threat table information and the virus threat table information of step W2;

W32: Obtain the virus attack start time and the virus attack end time and compute their time difference to obtain the virus attack duration, marked Gi;

W33: Calculate the attack value Pg with the formula

Figure BDA0002746138430000131

W4: Monitor the real-time usage rate of the host device CPU and perform steady-state analysis on it to obtain the steady-state value Ui;

W5: Combine the attack value Pg, the steady-state value Ui, the real-time usage rate group Fa and the real-time network access speed in a security analysis to obtain the security estimate AC;

W6: Grade the security estimate AC to obtain an early warning signal, specifically:

W61: when AC ≤ X2, the early warning signal is a mild threat signal;

W62: when X2 < AC < X3, the early warning signal is a moderate threat signal;

W63: when AC ≥ X3, the early warning signal is a severe threat signal; X2 and X3 are both preset values.

In operation of the LAN-based network security situational awareness system and method, the virus monitoring module first performs worm detection and obtains the information of the hosts infected by worms during a preset period; the data analysis module receives this host information and analyses it to obtain the device threat table information and the virus threat table information: the time difference between the virus attack end time and the virus attack start time in the host information gives the virus attack duration; for each host device number, the number of attacks on that device number is accumulated to form the device attack frequency, and the virus attack durations for that device number are accumulated to form the total device attack duration; each host device number is assigned a preset value, and matching the device number against all host device numbers yields the corresponding device preset value; the device threat value Qi of each host device is calculated with the formula Qi = J1i × Z1 + J2i × Z2 + Wi × Z3 (as recited in claim 1), and the host devices are arranged in descending order of Qi to produce the device threat table information; for each virus name, the number of attacks under that name is accumulated to form the virus attack frequency and the virus attack durations under that name are accumulated to form the total virus attack duration; each virus is assigned a preset value, and matching the virus against all viruses yields the corresponding virus preset value; the virus threat value Ri of each virus is calculated with the formula Ri = J3m × C1 + J4m × C2 + Bm × C3, and the viruses are arranged in descending order of Ri to produce the virus threat table information. From the two tables administrators can see clearly how severely each host device is threatened by virus attacks and how threatening each virus is; high-risk host devices are identified automatically from the magnitude of Qi and Ri, and different protective measures are applied against different virus attacks, which strengthens the protective effect.

When a virus signal is detected, the information of the host infected at that moment is recorded and analysed to obtain the attack value Pg: the device threat value corresponding to the host device number, marked Qc, and the virus threat value corresponding to the virus name, marked Rc, are fetched automatically from the storage module, and Pg is calculated with the formula

Figure BDA0002746138430000141

The CPU monitoring module monitors the real-time usage rate of the host device CPU and performs steady-state analysis on it to obtain the steady-state value Ui. On receiving the attack value Pg, the security evaluation module automatically combines it with the steady-state value Ui, the real-time usage rate group Fa and the real-time network access speed in a security analysis, obtaining the security estimate AC with the formula

Figure BDA0002746138430000142

The controller grades the security estimate AC to obtain an early warning signal and, when a mild, moderate or severe threat signal is generated, causes the display module to show the words "mild threat", "moderate threat" or "severe threat" respectively. The invention thus analyses and judges the virus attack suffered through the data processing module to obtain the attack value Pg; monitors and analyses the real-time usage rate of the host device CPU through the CPU monitoring module to obtain the CPU steady-state value Ui; monitors the real-time network access speed of the host device through the network speed monitoring module; and then combines the attack value Pg, the steady-state value Ui and the real-time network access speed in a comprehensive analysis to obtain the security estimate AC, which is graded to produce an early warning signal, so that the result is more precise and easier for administrators to act on.

The above formulas were obtained by collecting a large quantity of data for software simulation, with the parameters set by the relevant experts, yielding formulas that agree with real results.

The preferred embodiments of the invention disclosed above serve only to help explain the invention. They do not describe every detail, nor do they limit the invention to the specific embodiments given. Obviously, many modifications and variations are possible in light of this specification. These embodiments were selected and described in detail to better explain the principles and practical application of the invention, so that those skilled in the art can understand and use it well. The invention is limited only by the claims and their full scope and equivalents.

Claims (2)

1. A network security situation perception system based on a local area network is characterized by comprising a virus monitoring module, a data analysis module, a controller, a storage module, a data processing module, a CPU monitoring module, a network speed monitoring module, a security evaluation module and a display module;
the virus monitoring module is used for detecting the worm virus and acquiring host information infected by the worm virus in a preset time period; the data analysis module is used for receiving host information infected by the worm virus in a preset time period and analyzing the host information to obtain equipment threat table information and virus threat table information; the specific analysis steps are as follows:
step one: acquiring host information infected by the worm virus in a preset time period; the host information comprises a host equipment number, a virus name, a virus attack starting time and a virus attack finishing time; calculating the time difference between the virus attack ending time and the virus attack starting time in the host information to obtain the virus attack duration;
step two: accumulating the attacked times of the same host equipment number according to the host equipment number to form equipment attack frequency, and marking the equipment attack frequency as J1 i; wherein i represents the ith host device;
accumulating the virus attack duration of the same host equipment number according to the host equipment number to form total equipment attack duration, and marking the total equipment attack duration as J2 i; the equipment attack frequency J1i corresponds to the total equipment attack duration J2i one by one;
step three: setting that each host equipment number corresponds to a preset value, matching the host equipment number with all the host equipment numbers to obtain corresponding equipment preset values, and marking the equipment preset values as Wi;
carrying out weight distribution on the equipment attack frequency, the equipment attack total time length and an equipment preset value, marking the weight of the equipment attack frequency as Z1, marking the weight of the equipment attack total time length as Z2, and marking the weight of the equipment preset value as Z3, wherein Z1, Z2 and Z3 are preset values, and Z1 is more than Z2 and more than Z3;
step four: respectively calculating a device threat value Qi of each host device by using a formula Qi = J1i xZ 1+ J2i xZ 2+ Wi xZ 3;
arranging host equipment in a descending order according to the equipment threat values Qi and making equipment threat table information;
step five: accumulating the attack times of the same virus name according to the virus name to form virus attack frequency, and marking the virus attack frequency as J3 m; wherein m represents the mth virus;
accumulating the virus attack durations of the same virus name according to the virus name to form a total virus attack duration J4 m; the virus attack frequency J3m corresponds to the total virus attack duration J4m one by one;
step six: setting each virus to correspond to a preset value, matching the virus with all the viruses to obtain corresponding preset virus values, and marking the preset virus values as Bm;
carrying out weight distribution on the virus attack frequency, the total virus attack duration and a virus preset value, marking the weight of the virus attack frequency as C1, marking the weight of the total virus attack duration as C2, and marking the weight of the virus preset value as C3, wherein C1, C2 and C3 are preset values, and C1 is more than C2 and more than C3;
step seven: calculating a virus threat value Ri of each virus by using a formula Ri = J3m × C1+ J4m × C2+ Bm × C3 respectively; arranging viruses in a descending order according to the virus threat value Ri and making virus threat table information;
the data analysis module is used for transmitting the equipment threat table information and the virus threat table information to the controller, and the controller receives the equipment threat table information and the virus threat table information transmitted by the data analysis module and transmits the equipment threat table information and the virus threat table information to the storage module for storage;
the virus monitoring module is used for transmitting a virus signal to the data processing module when a virus is monitored; the data processing module analyzes the virus signal transmitted by the virus monitoring module to obtain an attack value Pg when receiving the virus signal; the specific analysis steps are as follows:
s1: when the virus signal is monitored to be generated, recording host information infected by the virus at the moment;
s2: automatically acquiring a device threat value corresponding to the host device number from a storage module according to host information, marking the device threat value as Qc, and acquiring a virus threat value corresponding to a virus name, marking the virus threat value as Rc;
s3: acquiring the start time and the end time of the virus attack, and calculating the time difference between the start time and the end time of the virus attack to obtain the virus attack duration and marking the virus attack duration as Gi;
s4: using formulas
Figure DEST_PATH_IMAGE002
Calculating to obtain an attack value Pg; wherein a1, a1 and a3 are all preset coefficient factors; the data processing module is used for transmitting the attack value Pg to the security evaluation module;
the CPU monitoring module is used for monitoring the real-time utilization rate of a CPU of the host equipment and carrying out steady-state analysis on the real-time utilization rate to obtain a steady-state value Ui; the specific analysis process is as follows:
SS 1: marking the start time of virus attack as t time, and setting the real-time utilization rate of the CPU acquired at the t time as Ft; collecting the real-time utilization rate of the CPU once every T1 time from the start time of virus attack to the end time of virus attack, and marking the collected real-time utilization rate of the CPU as Ft+x, x = 1, ..., n; obtaining a real-time utilization rate group Fa;
SS 2: marking the end time of the virus attack as r time, and setting the real-time utilization rate of the CPU acquired at the r time as Fr;
SS 3: using formulas
Figure DEST_PATH_IMAGE004
Obtaining a steady deviation value GL1 of the real-time usage group Fa from Ft; using formulas
Figure DEST_PATH_IMAGE006
Obtaining a steady deviation value GL2 of the real-time usage group Fa from Fr;
SS 4: obtaining a steady state value Ui by using a formula Ui = GL1 × D1+ GL2 × D2, wherein D1 and D2 are preset coefficient factors and D1> D2;
the CPU monitoring module is used for transmitting the steady state value Ui and the real-time utilization rate group Fa to the safety evaluation module; the network speed monitoring module is used for monitoring the real-time network access speed of the host equipment and transmitting the real-time network access speed to the security evaluation module;
when the security evaluation module receives the attack value Pg, the security evaluation module automatically combines the steady state value Ui, the real-time utilization rate group Fa and the real-time network access speed to perform security analysis to obtain a security evaluation value AC; the specific analysis steps are as follows:
DD 1: when receiving the attack value Pg, acquiring a real-time utilization rate group Fa at the moment;
DD 2: traversing the real-time utilization rate group Fa, and acquiring the maximum value of the real-time utilization rate as Fmax and the minimum value of the real-time utilization rate as Fmin; calculating a difference value Fc between the maximum value of the real-time utilization rate and the minimum value of the real-time utilization rate, namely Fc = Fmax-Fmin;
DD 3: calculating the real-time utilization rate difference Gc before and after the virus attack, namely Gc = Fr - Ft;
Obtaining difference ratio Cb by using a formula Cb = Fc/Gc;
DD 4: acquiring the real-time network access speed when the attack value Pg is received, and marking the real-time network access speed as S1;
DD 5: using a formula
Figure DEST_PATH_IMAGE008
Obtaining a safety evaluation value AC; d1, d2, d3 and d4 are all preset proportionality coefficients, and alpha is a compensation factor and takes the value 0.56325;
the safety evaluation module is used for transmitting the safety evaluation value AC to the controller, and the controller is used for carrying out grade evaluation on the safety evaluation value AC to obtain an early warning signal, and specifically comprises the following steps:
AA 1: when the AC is less than or equal to X2, the early warning signal is a light threat signal;
AA 2: when X2< AC < X3, the pre-warning signal is a moderate threat signal at this time;
AA 3: when the AC is larger than or equal to X3, the early warning signal is a severe threat signal; wherein X2 and X3 are preset values;
the controller is used for transmitting the security evaluation value AC to the display module for displaying, and correspondingly displaying words of 'light threat', 'moderate threat' and 'severe threat' when generating a light threat signal, a moderate threat signal and a severe threat signal.
2. A network security situation awareness method based on a local area network, applied to the network security situation awareness system based on the local area network as claimed in claim 1, the method is characterized by comprising the following specific steps:
w1: detecting the worm virus of the host equipment, and acquiring host information infected by the worm virus in a preset time period;
w2: obtaining equipment threat table information and virus threat table information according to the host information obtained in the step W1;
w3: when a virus signal is monitored to be generated, recording host information infected by the virus at the moment, and analyzing to obtain an attack value Pg; the specific analysis steps are as follows:
w31: automatically acquiring corresponding device threat values from the device threat table information and the virus threat table information in the step W2 according to the host information, and marking the device threat values as Qc and the corresponding virus threat values as Rc;
w32: acquiring the start time and the end time of the virus attack, and calculating the time difference between the start time and the end time of the virus attack to obtain the virus attack duration and marking the virus attack duration as Gi;
w33: using formulas
Figure DEST_PATH_IMAGE002A
Calculating to obtain an attack value Pg; wherein a1, a1 and a3 are all preset coefficient factors;
w4: monitoring the real-time utilization rate of a CPU of the host equipment, and performing steady-state analysis on the real-time utilization rate to obtain a steady-state value Ui;
w5: performing security analysis by combining the attack value Pg, the steady state value Ui, the real-time utilization rate group Fa and the real-time network access speed to obtain a security evaluation value AC;
w6: the method comprises the following steps of carrying out grade judgment on a safety evaluation value AC to obtain an early warning signal, specifically:
w61: when the AC is less than or equal to X2, the early warning signal is a light threat signal;
w62: when X2< AC < X3, the pre-warning signal is a moderate threat signal at this time;
w63: when AC is larger than or equal to X3, the early warning signal is a serious threat signal.
CN202011167000.2A 2020-10-27 2020-10-27 A LAN-based network security situational awareness system and method Expired - Fee Related CN112351010B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011167000.2A CN112351010B (en) 2020-10-27 2020-10-27 A LAN-based network security situational awareness system and method


Publications (2)

Publication Number Publication Date
CN112351010A CN112351010A (en) 2021-02-09
CN112351010B true CN112351010B (en) 2022-05-17

Family

ID=74359202


Country Status (1)

Country Link
CN (1) CN112351010B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113254978B (en) * 2021-06-24 2021-09-21 国能大渡河大数据服务有限公司 Data security management system based on machine learning
CN113507456B (en) * 2021-06-25 2022-08-19 中标慧安信息技术股份有限公司 Illegal attack monitoring method for Internet of things platform
CN116668194B (en) * 2023-07-27 2023-10-10 北京弘明复兴信息技术有限公司 Network security situation assessment system based on Internet centralized control platform

Citations (2)

Publication number Priority date Publication date Assignee Title
CN107679768A (en) * 2017-10-25 2018-02-09 中国南方电网有限责任公司 A kind of Situation Awareness System and its construction method based on real-time data of power grid
CN109067596A (en) * 2018-09-21 2018-12-21 南京南瑞继保电气有限公司 A kind of substation network security postures cognitive method and system

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
US20180262525A1 (en) * 2017-03-09 2018-09-13 General Electric Company Multi-modal, multi-disciplinary feature discovery to detect cyber threats in electric power grid
CN109302408B (en) * 2018-10-31 2020-07-28 西安交通大学 Network security situation assessment method
CN110716476B (en) * 2019-11-08 2021-02-12 珠海市鸿瑞信息技术股份有限公司 Industrial control system network security situation perception system based on artificial intelligence
CN111652496B (en) * 2020-05-28 2023-09-05 中国能源建设集团广东省电力设计研究院有限公司 Running risk assessment method and device based on network security situation awareness system



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20220517